One-key MAC

One-key MAC (OMAC) is a message authentication code constructed from a block cipher much like the CBC-MAC algorithm.

Officially there are two OMAC algorithms (OMAC1 and OMAC2) which are both essentially the same except for a small tweak. OMAC1 is equivalent to CMAC, which became an NIST recommendation in May 2005.

It is free for all uses: it is not covered by any patents.
In cryptography, CMAC is a block cipher-based message authentication code algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. This mode of operation fixes security deficiencies of CBC-MAC (CBC-MAC is secure only for fixed-length messages).

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name XCBC and submitted to NIST. The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys. Iwata and Kurosawa proposed an improvement of XCBC and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers. They later submitted OMAC1, a refinement of OMAC, and additional security analysis. The OMAC algorithm reduces the amount of key material required for XCBC. CMAC is equivalent to OMAC1.

To generate an ℓ-bit CMAC tag (''t'') of a message (''m'') using a ''b''-bit block cipher (''E'') and a secret key (''k''), one first generates two ''b''-bit sub-keys (''k''₁ and ''k''₂) using the following algorithm (this is equivalent to multiplication by ''x'' and ''x''² in a finite field GF(2^''b'')). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

# Calculate a temporary value ''k''₀ = ''E_k''(0).
# If msb(''k''₀) = 0, then ''k''₁ = ''k''₀ ≪ 1, else ''k''₁ = (''k''₀ ≪ 1) ⊕ ''C''; where ''C'' is a certain constant that depends only on ''b''. (Specifically, ''C'' is the non-leading coefficients of the lexicographically first irreducible degree-''b'' binary polynomial with the minimal number of ones: 0x1B for 64-bit, 0x87 for 128-bit, and 0x425 for 256-bit blocks.)
# If , then , else .
# Return keys (''k''₁, ''k''₂) for the MAC generation process.

As a small example, suppose , , and . Then and .

The CMAC tag generation process is as follows:
# Divide message into ''b''-bit blocks , where ''m''₁, ..., ''m''_''n''−1 are complete blocks. (The empty message is treated as one incomplete block.)
# If ''m_n'' is a complete block then else .
# Let .
# For , calculate .
#
# Output .

The verification process is as follows:
# Use the above algorithm to generate the tag.
# Check that the generated tag is equal to the received tag.

Implementations

* Python implementation: see the usage of the AES_CMAC() function in
impacket/blob/master/tests/misc/test_crypto.py
, and its definition in
impacket/blob/master/impacket/crypto.py

* Ruby implementation

References

External links

* The AES-CMAC Algorithm
* The AES-CMAC-96 Algorithm and Its Use with IPsec
* The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
* OMA
Online Test



Rust implementation

{{Cryptography navbox , hash

Message authentication codes
Finite fields